Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...

Avatar for no1zy no1zy
March 11, 2019
5
1.7k

Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function

Burp Suite Japan LT Carnivalでの発表資料

Avatar for no1zy

no1zy

March 11, 2019
Tweet

More Decks by no1zy

See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
Avatar for no1zy no1zy
14
4.7k

Featured

See All Featured
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.9k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
96
6.1k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
520
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
134
9.4k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
207
24k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
223
9.7k

Transcript

  1. Burp SuiteͷศརͳػೳͰ όάό΢ϯςΟ No1zy

  2. ࣗݾ঺հ • twitter: @no1zy_sec • ৘ใܥઐ໳ֶੜ • ৽ถόάϋϯλʔ • ڈ೥ͷ֫ಘใ঑ۚ૯ֹ

    612ສԁ

  3. όάϋϯλʔ͸Burp Suite͕େ޷͖ The 2019 Hacker Report

  4. Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ

  5. ঺հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze

    target શͯPro൛ͷΈͰར༻Ͱ͖Δ

  6. 1. Burp Collaborator client

  7. Burp Collaborator client • ֎෦ͷ଴ͪड͚αʔόʔͱͯ͠ͷ໾ׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •

    DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ

  8. ࢖͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ

  9. ࢖͍ํ 2. Copy to clipboardΛΫϦοΫ

  10. ࢖͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ઀ଓςετ

  11. ࢖͍ํ • ϦΫΤετΛ֬ೝ͢Δ

  12. SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ

  13. SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢Δػೳ͸ɺSSRF͕Մೳͳ৔߹͕͋Δ

  14. http://127.0.0.1:22 SSRF Payload

  15. SSRFͷςετྫ Ϩεϙϯε

  16. http://127.0.0.1:4444 SSRF Payload

  17. SSRFͷςετྫ Ϩεϙϯε

  18. ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ

  19. None

  20. 2. Find Script

  21. Find Script • JavaScriptϑΝΠϧΛऩू͢Δ໨తͰ࢖༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີ৘ใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹ໾ཱͯΔ͜ͱ͕Ͱ͖Δ

  22. ࢖͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s

  23. ࢖͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ

  24. ࢖͍ํ • Export scriptsͰϑΝΠϧʹநग़΋Ͱ͖Δ

  25. APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ

  26. JSParser

  27. 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ

  28. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only

    ʹνΣοΫ͠ js ͱೖྗ

  29. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 3. ΞΠςϜΛશબ୒͢Δ

  30. HistoryͷϑΟϧλϦϯάػೳͰ΋୅༻Մೳ 4. Copy URLsΛΫϦοΫ

  31. 2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ෇͚ 2. JSParseΛΫϦοΫ

  32. ৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬཰Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ

  33. 3. Analyze target

  34. Analyze target • Ͳͷύϥϝʔλ͕Կճ࢖༻͞Ε͍ͯΔ͔೺Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։΍ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ৔߹͕͋Δ

  35. ࢖͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ

  36. ࢖͍ํ ղੳ݁ՌΛ֬ೝ͢Δ

  37. Happy Hunting!